Practice English Speaking&Listening with: Cyber Insider Threat

Difficulty: 0

Once the red recording light appears we will begin

Hello and welcome to the CDSE

Cybersecurity webinar my name is Noah LaBaron and I'm the Cybersecurity

Curriculum manager

for CDSE and your host for this webinar

Our producer today is Rachel Mongeau and instructional designer with CDSE

and we are joined by our cybersecurity instructor Ms.Rebecca Morgan

Today's topic is Cyber insider threat

Before we get started Rachel will provide you with a ground-rule for today's

webinar and some instruction on how to use the tools you'll need to participate

Okay thank you Noah .Before we get started we're gonna take a quick tour

of this meeting room. In the bottom left hand corner

as marked with a green arrow you're gonna find a notes box this gives you

the call in number and any other announcements.

If you are disconnected from audio this number will always be here on the screen

Be aware that you were able to listen through your computer speakers today.

Also on the screen you'll see our notes regarding

using fullscreen. If you look at the gray banner on top of your screen

you see a full screen option there it's four arrows

and they make a square shape. You can select this button to have a larger view

of the presentation.

However when questions apprear you need to select

it again to return to the normal view and respond our your questions.

Next there is a Q&A box,

you can enter questions to presenters in here, its marked with a blue a arrow it's on the

right hand side of your screen.

Your also gonna find a file share box in a location indicated with a yellow 0:01:38.969,0:01:39.789 arrow here.

We have 4 files in a box today

Your're going to find a webinar slides in there feel free to

download those, print them out and take notes as we go. Here your're gonna see

an example of what a chat question response box looks like.

We're gonna be asking a couple chat questions today, simply

type your response into the chat box. Chat boxes are going to be floating

right over

on top of the question and answer boxes and make sure your out of full screen mode in

order to respond.

Okay this completes our tour of the meeting room.

Back to you.

Thanks Rachel. As Noah said my name is Rebecca Morgan and Noah and I are delighted to have you all

joining us for a very

first Cybersecurity webinar here at CDSE. Many of you may have tunned in to

CDSE's Counterintelligent webinars on Insider Threat

or Potential Espionage indicators earlier this year. I think you'll find today's offerings a

nice complement to those

session. You can find these recordings on our webinar archives if you missed them.

Today we will be focusing on the cyber insider threat.

Looking at the way in which traditional espionage inidcator may manifest

themselves in a cyber environment,

a new indicator specifically related to IT insider threat.

We'll talk about some observable and reportable behavior activities

associated with the Cyber insider threat

and identify best practices to prevent and detect this threat for your


Obviously the technological revolution have changed everything about our lives.

How we conduct business, travel,

bank, date, even the way we spy. Although we're not talking about Counter

intelligence today per say

I think we'd be remiss not to take note of the way the traditional espionage

indicators translate to the cyber environment. Espionage inidcators are really

insider threat indicators excessive behaviors or activity that may indicate

that an individual is engaging in espionage

or another national security crime. All of these directly relate to the reportable

behaviors and activities

under DOD Directive 5240.06

and the NISPOM. As you learned in the CI insider threat webinar back in


if any of these behaviors occur they are reportable

and be persued by the appropriate agency. However it's important to

consider how these may change in the cyber age.

In our globalized economy foreign contacts are more common. You may have

international business partners, you might have studied abroad, maybe even have gone on

an extended TDY.

In the past develop foreign contacts but it may be resulted in a Christmas card

exchange once a year.

Today however it's likely to result

in facebook, instant messaging, email,

texting. How do you determine if someone has a close and continuing foreign


Most likely these internet interactions will take place at least in part

in a digital environment. Also

issues that loyalty or foreign preference will likely be noted in blogs, web

postes or social media.

And not all but certainly very many issues involving this handling of

classified information

our security violations are going to revolve around Information Security Systems.

In the cyber age

some of these well known indicators may even move to obserlesant.

Why travel halfway around the world to meet your spy handler

when you can transmit information by throwing it in Dropbox and

get paid in bitcoin. Knowing that this information

reportable behaviors and activities indicative of espionage

and other national security crime is all housed in a digital environment.

How does it change what will be reported and by whom?

As a Security Officer or FSO or

Information System Security manager, are you seeing regular reports that monitor

annonymous behavior in automated information systems?

What is your cyber security staff level of expertise in identifying such


These are all questions worth asking as you develop your insider threat

in cybersecurity programs that your organization. Another thing to consider

is that insider threat

involves more than just a spy. The term insider encompasses spys, sabators thiefs and more.

The US computer emergency response team joined together

with DoD Personal Security research center

In the conduct of a study called Comparing insider IT sabatoge and espionage and 0:06:04.000,0:06:08.070 they determined that both categories are encompassed in the same threat base

differentiated only by the nature of the damage caused.

The bottom line IT insiders by virtue of legitimate

access to their organizations information systems and networks

pose a significant risk to organization. For example:

Employees experiencing financial problems have found it easy to use the

information systems they use at work every day

to commit fraud. Other employees motivated by financial problems,greed


the desire to obtain a business advantage or they wish to impress a new


have stolen confidential data, proprietary information

or intellectual property. Employees have even used their technical abilities to sabotage

their employers systems

or network in revenge for negative work-related events.

Given a broad range of illicit activities associated with the insider

how would you define the cyber insider threat?

Please enter your responses in the chatbox. 0:07:14.509,0:07:16.150 I see some good answers out there.

Anyone, it could anyone of us,

unhappy employees, we're seeing disgruntled

employees, yeah lots of good answers and really the key to the definition is

access Rachel.

The fiber insider threat has been defined as a current or former employee,

contractor, vendor or other business partner who has or had authorized access

to an organization's network

system or data and intentionally exceeded or misused that access

that access in a manner that negatively affected the confidentiality,

integrity or availability of the organization's information or

information systems. The IT insider threat is

uniquely disturbing because cyberspace offers greater security to the

perpetrator in cases involving insiders.

Although auditors or similar cyber security measures may flag elicit downloads or


insiders may be able to master behavior it can also quickly transfer vast

amounts of data

often causing damage before most organizations even detect the problem.

That problem is exacerbated by our failure to detect malicious IT insider. This was

exhibited in that joint

US cert DoD study which revealed that in cases of insider IT sabatoe and espionage

there were specific commonalities among the cyber insider threat

and amongst the organizations vicitimized. The study found that most sabatores and spies


common personal predispositions that contributed to their risk of committing

malicious acts

and we'll discuss this in detail in a minute. Also in most cases stressful

events including organizational sanctions and unmet expectations in the

workplace things like

reprimands or failure to get an expected promotion, raise, or level of access

contributed to the likelihood of insider

IT sabotage and espionage. In most organizations concerning behaviors were often

observable before

and during insider IT sabotage an espionage

but they were never acted upon. Technical action such as the downloading

use of hacking tools, failure to document activities, unauthorized access and the setup and use of

back door accounts by insiders could have alerted the organization to plan for

ongoing malicious attack. Many organizations ignored or fail to detect

will violations and those were just the facilities that had rules in place. In many

instances there was a complete lack of physical and electronic access controls

to begin with.

So I said we would talk about the personal predispositions noted in the study

and they tended to fall into these categories. Serious mental health

disorders included alcohol and drug addiction,

history of physical spousal abuse, panic attack

and diagnose mental health issues. Personality problems included


bullying, sensitivity to criticism, a sense of entitlement, impulse control

and self esteem deficits. Social skill in decision-making deficits were identified

as conflicts with co-workers, hygiene problems,

extreme shyness and bullying. Finally

a history of rule violations with a parent in many of these cases and

included not just IT related offenses such as hacking

but also petty theft, misuse of resources, falsyfying of information

and other violations of office policy.

So we just spent all this time describing the characteristic of the IT insider

threat when maybe I should have just refered you back to the character of Milton from O:10:50.880,0:10:55.430 Office Space. I don't know how many of you saw or remember that movie, I know Noah and

Rachel both have seen it. Miton was a supremely nurdy co-worker who 0:10:59.720,0:11:04.420 exhibited every trait we just discussed and was subject to all sorts of perceived

or real sanctions and unmet

His included moving his

office to the basement, missing paychecks

he was the one guy not to get cake at the office birthday party

and unforgivably they stole his swing line stapler.

And in the end he turned out to be quite the insider threat

blowing up the office building. But

based on everything we just discussed to describe traits of cyber insider


including the noted personal predisposition, which character is more

cause for concern?

Would it be Milton the socially awkward classic nerd

or Peter the clean-cut well-liked around the office classic cool guy?

Put your responses in the chatbox. Ok, I see a lot of people saying Milton,

a few votes for Peter and a number of you coming up with the answer that is

both. Looks like a lot of people do remember this movie

and I see you've all picked up on that true idea which is of course,

that relying on a profile that all IT insiders are going to look like your

classic geek with tape on the glasses and pocket protectors is false.

The fact is both men are a threat, in the movie Milton may blow up the building but

Peter first used a simple algorythym to rob the company blind.

Although every office has a guy like Milton

someone everybody may make fun of or even feel sorry for and I notice Rachel

making a sad face when I was describing the hygiene issues of our poor guy.

Every office also has a guy like Peter who actually was exhibiting some of the

behaviors as well.

He had conflicts with coworkers however deserving those coworkers may have been.

He might have also had a sense of entitlement, maybe some impulse control

issues as well.

And you may be thinking isn't all the steps

screened out during the hiring process. Well

some of these issues may become apparent during a suitability or

security investigation. Many won't and you can't deny a clearance just because

somebody has b.o.

And also many of these will not become apparent at all

until you work with someone for a while.

Nor is this to say that every insider threat can be reduced to these characters,

the nerd or the flippin too cool for school guy.

Thruthfully anyone with authorized access to your IT systems may pose a threat.

As such we cannot rely on a profile, they need to look at specific behaviors an

activities of individuals

to help us detect and determine melicious insiders.

So we know that the key to

affected detection of fiber insider threat is paying attention to behaviors and


but what kind of things are we talking about? In addition to the traditional

espionage indicators that we mention at the top of the webinar,

which are explored more fully in our counterintelligence offering.

There are information technology specific indicators that have been identified in

cases of cyber

insider espionage and sabatoge. In the espionage cases

they involve a variety of rule violations and harmful technical actions including

downloading use of elicit software or malware, violations of acceptable use

policy and

analyst access. Many of these indicators can be detected through a combination of

technical counter measures and auditing

and all of these actions should be reported.

Things like illicit use of IT tools, violations of policy,

and attempts to hide online activity. Ask yourself, are these activities subject to

monitoring at your organization?

If so, who does the monitoring and where is it reorted?

Many of the inidicators in the sabotage cases were similar

and illustrate the range of behaviors and activities that should be considered


Again policy violations unauthorized deployment of

hardware/software and other IT tools concealment strategies.

Many people think of them as misuse of iT systems, sending risky emails, or

visiting any appropriate websites. And while these activities do pose a problem were

equally if not more concerned with network probing, creation of backdoor

accounts, installation of unauthorized hardware

and the other items identified here. Consider not just the elisted technical

activities but

policy violations. Such as using co-workers machines and access codes, failure or refusual

to document systems or software

and the retention of company property after termination.

These behaviors are all considered reportable activity under DoD directive 5240.6

enclosure 3 which is attached in the fileshare box below.

They can also be reported as adverse information regarding a clear contractor

under the NISPOM chapter 1 302.A. Solicite cyber activity is

a crime like any other and the elements of any criminal activity

natually involve the following factors. Opportunity

which in the case of cyber insider threat comes in the form of access to

information systems.

Motive and really there are as many motives as there are people,

fifteen minutes of fame, ego, new job,

anger, divided loyalty, fear of failure, financial problems, iditology,

emotional needs, that means their really the same things that motivate

any of us to do any number fo things. Mos people who need money

don't spy, they get a second job. Most people disgruntled at work don't commit


they go back to school or look for a new position. People with emotional needs may

get married

or get divorced or whatever might solve that patricular problem.

Know the real factor when it comes to those who commit elicite IT insider events

is the lack of inhabitions to betray which my be caused

by conflicting loyalty or organizational issues that often

hinges on personality problems, excessive ego,

grandiosity and risk-taking personalities for example.

All of these factors are accompanied by some sort of final trigger

often caused by stress-related to drug or alcohol abuse, rejection,

unmet expectations in the workplace, family problems, or other real or perceived

crises by the insider.

When considering

whether an individual represents a cyber insider threat remember that


don't exist in a vacuum and are likely to be accompanied by observable and

reportable behaviors related to these elements as well. Now we've spent a fair

amount of time discussing the malicious insider but

I think it's also important that we document the risks associated with

unwitting or careless insiders.Damage caused by these individuals

relating to unlawful disclosure and the integrity authenticity and availability

of information systems and data

can be just as harmful to your organization. In fact the 2005 FBI study

indicated that these individuals

we're responsible for nearly as many attacks as external perpetrators. 0:18:04.400,0:18:05.910 Unwitting perpetators could include

individuals who wittingly or unwittingly provide sensitive information

or sucumb to social engineering elicatation or other methodologies in

the digital brown.

There are also risks associated with policy violators

including those who make unathorize back up data to work from home.

I don't know if any of you are familiar with the issue that arose at the Veterans

Administration a few years back.

The agency was suffering under an extreme backlog

and in a misguided effort to alleviate the workload an

employee took home a laptop without authorization. The laptop with subsequently

stolen leading to the compromise of personally identifiable

identifiable information of 260.5 million

veterans and active-duty personnel. Yikes! right;

I mean I imagine some of our listeners today may have been among those affected by

this disclosure.

Also don't forget that issues such as accidental deletion or modification of


composed information system security problems as well.

Alright it's time for another chat question.

You guys seem like pretty savvy

cyber awareness folks and given the issues that we've discussed

and despite what I know where you're aggressive efforts in cyber security

training and awareness in your own agencies an

organization. Let's just say an employee reports that they've downloaded an

attachment to an email

which they now suspect may have been militia. How are you going to respond to

that employee?

Let's see some answers in the chat box. I

see reported immediately, disconnecting from the network at the computer,

talking to the security officer, quite a variety of answers.

Actually a lot of good ideas out there

and a lot of you probably have these practices in place right now.

However one of the things I would like to point out is that the same

issues that make an insiders threat also make them

an asset. Your

sytgem users sit right with the greatest vulnerabilities and as the targeted

external threats are really your first line of defense for detecting and


elicit cyber activity. Encouraging these users to report cyber threat information

as well as their own inadvertent policy violations are critical to effective

cyber security. Early detection of malware,

suspicious network activity an the like is essential and can make a difference between

a solvable problem

and an information security nightmare. As such

it's important to consider your response when users report violations.

And I did see a lot of good responses out there. Just remember though

if you fly off the handle or impose harsh sanctions when an individual tells you

about an attachment that they downloaded without authorization, you can bet they're

definitely not gonna tell you about the other time when they shared their


Measure your response to this situation remind your users that early reporting is


and that information security is the primary goal, not

punishment. Alright we've covered a lot of information

regarding cyber insider threat, discussing espionage

indicators in a digital environment, personality traits, specific technical

and behavioral indicators that the cyber insider threat as well as motives and


It's all good stuff but it's sometimes hard to know how to incorporate that into a

successful cyber security program at your organization.

As we discussed many of the potential indicators of cyber insider threat, both


and behavioral, are observable an reportable. Addressing these issues

within your cyber security awareness and training can increase your ability to

detect and deter the cyber insider threat. In addition

having well-planned incident response will not only enhance your capability to

handle current issues

but encourage an open door policy where employees are likely to report

a variety of cybersecurity threats and vulnerabilities to you.

I also find that operational exercises are an extremely effective training tool.

I'm not sure if any of you have heard this a few years ago but the Department of Homeland


took a number of thumb drives and CDs

scuffed them up a little bit adn threw them into the parking lot of a couple a federal

agencies in the DC metro area.

Of those items that were thrown around the parking lot, over ninety percent were

retrieved by federal employees

and of the retrieved items sixty percent were immediately deployed

on to federal computer workstations. Not brought to the IT desk, not brought to the

FSO, but

put directly into the systems. Now this was an operational exercise

and the materials were provided by DHS.

It amounted to basically a gotcha for those individuals.

But if that's any indication of how individuals behave with this type of


it shows that we've got a big problem on our hands.

Employing an exercise like this is far more effective than just giving a briefing

or maybe doing a point and click type of presentation.

Not that this will prevent everyone from engaging in this behavior

but I guarantee the folks involved, probably the co workers as well,

those individuals that deployed the Memory Stick

will never do it again.

There's some other factors that can enhance your ability to prevent and detect cyber

insider threats.

When establishing best practices it's important to consider a multi-layered

multi-disciplined approach. In addition to following information assurance

guidelines for employing

technical measures designed to protect information systems.

Consider the roles of personnel security, help for perhaps in identifying some of the personnel

issues which may contribute to cyber insider threat.

Physical security which can impact access and other factors,

as well as industrial security, foreign ownership control, influence issues,

supply chain, risk mitigation, operation security and

Continuity of Operations Planning. It's only by incorporating

each of these security disciplines enter the application of the defense application


hat we can begin to mitigate our approach by limiting access,

increasing reporting in detection, honing our responses

an deploying effective deterrent. Please see the cybersecurity

and best-practice documents identified in the fiel share box below

for more information on the prevention and detection of fiber insider threat.

As we discussed elicit cyber incidents both external and insider based are


under DoD directive D5240.6 enclosure 3.

A copy of the directive is located in the file Share box.

Insider cyber incidents are also subject to reporting under the National Industrial

Security program,

under NISPOM chapter 1, 301 and 1-302a.Cyber

insider threats have become increasingly sophisticated

and the harmony inflicted causes more damage to our economy, our companies and our


than most external threats combined. Please remember,

you truly are our first line of defense in an effort to detect, deter and defeat

the cyber insider threat.

No one sits closer to our most critical assets or better understands our most


than you. And in the case of the cyber insider,

no one else may be closer to our greatest threat,a threat that could linger

just across the conference table 0:25:22.540,0:25:26.380 or down the hall. I'm looking at you Rachel.

No, she doesn't exhibit any of the behavior but anybody could.

I want to thank everybody for tunning into our first Cybersecurity webinar

series. We hope you'll join us for our next presentation on Trusted Downloads

coming out this summer.

I'll pass it back to our curriculum manager Noah LeBaron.

Thank you Rebecca for that amazing presentation. Let's look at some of the 0:25:46.659,0:25:49.909 questions that came in during the webinar.

First question, who is required to have a program for cyber insider threat?

For Federal Agencies, White House memorandum dated 11/27/2012,

handling guidance for the National insider threat policy and minimum standard,

under Executive Order 13587,

requires the establishment of an entire threat program.

Next question, what exactly is the requirement for industry?

At this time there's no NISP requirement for industry to establish an insider

threat program.

However, conforming change in the NISPOM, expect that in FY15

will likely have insider threat program requirements.

Next question, can you provide examples of reportable CI events?

In addition to the items mentioned in the webinar slides, please refer to

DoD Directive a 5240.06,

included as a downloadable file in this webinar.

Last question, which industries best practices or strategies can lower

level information assurance practicioners to use the best to medigate this

threat? Following the best practices just in our downloadable handouts,

an employee in a multidisciplinary approach can be very effective in


the terrain and neutralizing the cyber insider threat.

Anyway, we have run out of time to answer remaining questions,

however we will answer those questions off line and be sure to post responses

along with the trend script from today's webinar.

Your feedback on

today's webinar is very important to us an is greatly appreciated. So I hope you'll

take a moment to participate in the short survey

and since we are always looking for ideas for future webinar topics,

if there's a topic you would like to see, make sure to identify that topic or

topics in your survey.

The survey may now be visible on your screen or may appear as a new tab

on your web browser. Thanks to everyone for

joining us today. As Rebecca mentioned at the start of our webnar our previous

entire threat

and PEI webinars also provide

relevant training. We've provided the link to these webinars

here. Also please be sure to visit the

CDSE Cyber Security web page and check out some of our exciting offerings


e-learning, instructor-led courses and shorts. For Rebecca Morgan,

Rachel Montgeau and all of CDSE this is Noah LeBaron

saying thanks for spending your time with us today.

Have a great day.

The Description of Cyber Insider Threat